
Archive for the ‘News’ Category

DNS configuration mistakes

Thursday, July 28th, 2011

Over the past year we’ve been taking a more proactive approach to reducing the number of open DNS resolvers accessible through JANET. The community’s assistance with these efforts has led to a huge reduction in their numbers. At times our investigations into specific DNS servers have revealed mistakes and oversights in the configuration of DNS servers and data that potentially leave the service with less resilience than expected.

Perhaps the most common mistakes are lame NS records – NS records that are unusable for one reason or another. In a recent test of DNS data we found that over 5% of NS records were either unresolvable or resolved to reserved IP addresses. In a few cases NS records pointed to names that were not valid in the global DNS.

You should regularly check the consistency of your DNS data, and a number of freely available tools can help you with this. ZoneCheck is our tool of choice as it is freely available and the checks performed can be tailored to the unique environments found on JANET, eliminating several false positives.
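The three kinds of lame NS record described above (names not valid in the global DNS, unresolvable names, and names resolving to reserved addresses) can be checked with a short script. This is an added example, not JANET CSIRT's tooling and not ZoneCheck; the zone names, the sample addresses and the `SAMPLE` table are constructed, and the special-use TLD list is an assumption about what "not valid in the global DNS" covers.

```python
import ipaddress
import re
import socket

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Special-use TLDs (RFC 2606, RFC 6762) that never resolve in the global DNS.
SPECIAL_TLDS = {"local", "localhost", "invalid", "test", "example"}

def valid_global_name(name):
    """True if name is a syntactically valid multi-label hostname under a public TLD."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1].isdigit() or labels[-1] in SPECIAL_TLDS:
        return False
    return all(LABEL.match(label) for label in labels)

def system_resolver(name):
    """Live lookup through the OS resolver; returns [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})

def classify_ns(target, resolver=system_resolver):
    """Classify one NS target as ok, invalid-name, unresolvable or reserved-address."""
    if not valid_global_name(target):
        return "invalid-name"
    addresses = [ipaddress.ip_address(a) for a in resolver(target)]
    if not addresses:
        return "unresolvable"
    if any(not a.is_global or a.is_multicast or a.is_reserved for a in addresses):
        return "reserved-address"
    return "ok"

def audit(ns_targets, resolver=system_resolver):
    """Return ({target: status}, fraction of targets that are lame)."""
    report = {t: classify_ns(t, resolver) for t in ns_targets}
    lame = sum(1 for status in report.values() if status != "ok")
    return report, (lame / len(report) if report else 0.0)

# Constructed sample: NS targets of a hypothetical zone and the addresses they resolve to.
SAMPLE = {
    "ns0.example-uni.ac.uk.": ["8.8.8.8"],        # stand-in for any public address
    "ns1.example-uni.ac.uk.": ["192.168.10.53"],  # RFC 1918 address leaked into the zone
    "ns2.example-uni.ac.uk.": [],                 # name does not resolve
    "dns-server": [],                             # unqualified internal host name
    "ns3.campus.local.": ["10.0.0.53"],           # special-use TLD
}
```

Calling `audit(SAMPLE, lambda name: SAMPLE.get(name, []))` runs the check offline against the constructed data; omit the second argument to query the system resolver for a real list of NS targets.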

Incident types by sector

Tuesday, June 21st, 2011

Graph of incident types by sector

We’ve been asked if we had an idea of how the types of incident we deal with vary by sector. We’ve not been directly recording this information, so it’s taken some scripting and estimation to pull out some reasonable figures from our incidents database (dating back to December 2007). The graph above is the result, but there are some limitations:

  • It’s not always easy to identify the institution involved in an incident. Sometimes no institution is involved, sometimes multiple institutions are involved, names change, and on occasion the information was incorrectly recorded. Where the institution cannot be identified I’ve left the figures out.
  • Institutions can move between sectors.
  • Classification of incidents has changed. Most importantly, incidents classed as malware were previously classed as compromises.
  • Other includes a wide variety of institutions: local government, sixth form colleges, museums, commercial organisations and so on.

Due to these limitations the labeling has been moved from the Y-axis to avoid giving false impressions about the absolute numbers involved, but I hope that the graph gives a relative idea of the types of incidents we see in different sectors of our community. If you have any questions please contact us.

Penetration Testing factsheet available

Tuesday, April 19th, 2011

Based on feedback and advice from the community we’ve produced a factsheet that briefly covers the most frequently asked questions we receive about penetration testing. The document covers some of the common terminology and services, why you might be looking for penetration testing services, and what to look for in a potential supplier.

New team member at JANET CSIRT

Tuesday, March 22nd, 2011

I’m Lee Harrigan, the new CSIRT Team Member working at JANET(UK). Before starting at JANET(UK) I worked for the University of Glamorgan, firstly as a desktop support officer for two and a half years and then within the networking team for just over four years. Within the networking team it fell to my responsibility to investigate reported security incidents and to liaise with other teams regarding said incidents. I have a Degree in Network Administration and Security and recently received an MSc in Computer Systems Security, in which my main topic of interest was using netflow or sflow within an intrusion detection environment. I wrote a custom application that would detect different types of threats, report against them and create firewall rules automatically which could then be used to mitigate the attack.

Before I was involved in computing I used to teach sailing for local councils around the London area and also for the Sea Cadets. I have a personal interest in intrusion detection and prevention, and in my spare time I enjoy updating my personal computing knowledge, playing computer games, LAN parties, playing badminton and squash.

I am looking forward to assisting the community in my time at JANET(UK) and hope I can be of assistance to you all.

Intrusion Detection Special Interest Group

Thursday, March 17th, 2011

There’s been a considerable amount of interest since last year’s CSIRT Conference in the setting up of a group for the operational discussion of Intrusion Detection Systems as used on JANET.

We’ve started a group and mailing list that we hope will fulfill this need, and that we hope will be community led, with some interesting output and possible participation at future events. We’ve tried to create an environment in which people are comfortable sharing operational information but without creating an overly high barrier to participation, and so the rules for participation are slightly different to our existing mailing lists. Further information can be found on the group’s page.

Changes to JANET CSIRT mailing list

Tuesday, April 13th, 2010

JANET CSIRT runs the JISCMAIL announcement list, UK-SECURITY-ANNOUNCE, for sending important, urgent and relevant announcements to all our security contacts. Its membership is strictly defined as the set of all security contacts we have on record. This stricter rule, in contrast to our discussion list, is so that we have a conduit to disseminate sensitive information.

Due to bad housekeeping, the list subscriptions and our contacts database were out of sync, and today we have attempted to fix this, removing addresses which do not appear to belong to current security contacts, and adding addresses for security contacts who do not appear to be subscribed. You may now find yourself subscribed to this list where previously you were not. If you believe this was in error, please contact us.

JANET CSIRT is hiring

Tuesday, March 2nd, 2010

A vacancy has arisen in the team. We are looking for someone with solid networking and security skills, with knowledge of Linux or Windows administration, and great communication skills to join our team.

Further information on the job and the application process is available.

More on the University of Exeter outbreak

Friday, January 29th, 2010

We are now able to confirm that the malware infected systems through the vulnerability highlighted in our previous e-mail. Further details and an update for this Windows Vista vulnerability can be found at

http://support.microsoft.com/kb/975517

Microsoft and Symantec performed an analysis of the malware, and updated Symantec definitions now detect it as a generic ‘downloader’.

There is no reason to suspect that this malware poses a specific threat to other JANET connected sites, and we have not seen any infections elsewhere. It is worth mentioning a few best practices that limit your risk to this and similar infections:

- Ensure that operating systems are kept fully patched
- Ensure that anti-virus definitions are kept up to date
- By default, block Windows LAN service ports at your network border

University of Exeter malware outbreak

Thursday, January 21st, 2010

As you may have heard the University of Exeter has been dealing with a malware outbreak. The virus appears to be unknown, certainly to Symantec and Trend, and was first detected by high levels of traffic on their network and onto JANET. Whilst the malware has not yet been analysed it appears to have aspects of both a Trojan and a “dropper”.

The malware appears to exploit Windows Vista systems and early indications are that installing Microsoft update KB975517 prevents infection. It is not yet certain if the update provides complete protection.

http://support.microsoft.com/kb/975517

The outbreak is currently being investigated by Symantec and Microsoft and we hope to have further information within a few days.

Conficker statistics

Wednesday, December 16th, 2009

The Shadowserver Foundation have produced a set of statistics that detail the number of Conficker infections per ASN. The statistics for JANET (ASN 786) look promising. Bearing in mind that the large increase in infections coincides with the start of the academic year, and that numbers will start to naturally decrease towards the holiday period, the overall trend still appears to be downward. The numbers are very favorable compared to similarly sized commercial providers.

JANET CSIRT have more information on Conficker, how to detect and investigate infections and protect your network.

Image provided by shadowserver.org

Contact Us: irt@csirt.ja.net
PGP Key ID: 0x4EC70D66

0300 999 2340
+44 1235 822 340

Service Hours:
08:00 to 18:00 Mon-Fri
18:00 to 00:00 Mon-Fri*
09:00 to 17:00 Sat-Sun*
(*reduced service)
